3

I'll readily admit I'm pretty clueless when it comes to cryptography, so there may already be some false assumptions in the question title itself :-)

Still, I "heard" that it is more secure to store the hashes of the username/password combinations than only the hashes of the passwords. (Salting?)

If so, are windows user passwords stored like this? (And if not, are they stored somehow differently that "only" the password hash?)

Martin
  • 1,247
  • 2
  • 12
  • 19

1 Answers1

5

The file containing passwords in Windows clients is called the SAM file. All passwords stored locally in the SAM file (e.g. local accounts) are hashed with a salt.

Active Directory on the other hand will store passwords without a hash, but in a different file on the Domain Controller. Domain account passwords are stored locally by default for users to be able to sign on when they cannot connect to a DC, and these passwords are hashed with a salt as well.

See here: Does Windows really still use unsalted MD4 for password storage?

Steve
  • 15,155
  • 3
  • 37
  • 66
  • I'm still left confused what's with the passwords on my *local PC* (not part of a Domain). Googling for SAM file doesn't really enlighten me. Sorry for being dense here :-) – Martin Oct 24 '11 at 14:49
  • @Martin edited... :) – Steve Oct 24 '11 at 14:56
  • Thanks! Now I'll be so bold to ask clarification on whether the Salt is the user name (or whether this matters at all)? :-) – Martin Oct 24 '11 at 15:12
  • You know, I don't actually know. I would assume it's a randomly generated value, but don't quote me on it. Does it matter? Hard to sayt: http://security.stackexchange.com/questions/8015/what-should-be-used-as-a-salt – Steve Oct 24 '11 at 15:26
  • I know this was asked 6 years ago! But are you sure that the SAM file is salted? LAN and NTLM is stored in the SAM file and Im sure they are not salted. – Anderson Jun 11 '18 at 10:37
  • The value used to validate a local offline password is a salted hash. The SAM also includes various other things for caches. Those values are necessarily not hashed, but encrypted. Those cached values generally only apply in domain scenarios. – Steve Jun 11 '18 at 15:48